New Bizarro Sundown Exploit Kit Spreads Locky

A new exploit kit has arrived which is spreading different versions of Locky ransomware. We spotted two cases of this new threat, which is based on the earlier Sundown exploit kit. Sundown rose to prominence (together with Rig) after the then-dominant Neutrino exploit kit was neutralized.

Called Bizarro Sundown, the first version was spotted on October 5 with a second sighting two weeks later, on October 19. Users in Taiwan and Korea made up more than half of the victims of this threat. Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features. The October 19 attack also changed its URL format to closely resemble legitimate web advertisements. This second version is called GreenFlash Sundown. Both versions were used exclusively by the ShadowGate/WordsJS campaign.

First identified in 2015, the ShadowGate campaign targeted Revive and OpenX’s open-source advertising servers that have been locally installed. Once compromised, the servers act as gateways to the exploit kit for malware distribution. Some of the domains associated with this campaign were taken down. Recently, we saw the campaign using 181 compromised sites to deliver ransomware. In September we saw ShadowGate using the Neutrino exploit kit to drop a variant of Locky (with the encrypted files having the .zepto extension). On October 5, the campaign shifted to Bizarro Sundown. Two weeks later (October 19), a modified version of Bizarro Sundown (GreenFlash Sundown) was spotted.

Scale and Distribution of the Attacks

Plotting the number of Bizarro Sundown victims over time leads to an interesting finding right away: the number of victims drops to zero on weekends.

Figure 1. Timeline and number of Bizarro Sundown victims

We observed the ShadowGate campaign closing their redirections and removing the malicious redirection script from the compromised server during weekends and resuming their malicious activities on workdays. As for distribution, more than half of the victims were located in only two countries: Taiwan and South Korea. Germany, Italy, and China rounded out the top five countries.

Figure 2. Distribution of Bizarro Sundown attacks, per country basis

Description of the Attacks

Bizarro Sundown targeted a memory corruption vulnerability in Internet Explorer (CVE-2016-0189, fixed in May 2016) and two security flaws in Flash: a type confusion vulnerability (CVE-2015-7645) and an out-of-bound read bug (CVE-2016-4117). The first of these was fixed a year ago (October 2015), with the second patched earlier this year (May 2016). Bizarro Sundown’s second version leveraged only the two Flash exploits.

Bizarro Sundown attacks shared a URL format similar to Sundown's. However, it obfuscates its landing pages differently, without using a query string. Bizarro Sundown also added anti-crawling functionality. An increasingly common feature found in exploit kits today, anti-crawling functions are designed to defeat automated crawlers used by researchers and analysts. This first version was used to deliver a Locky variant which appended the .odin extension to encrypted files.

Two weeks later, we saw a new version of Bizarro Sundown that included changes to its redirection chain; its URLs are now more similar to typical advertising traffic. This version was given the name GreenFlash Sundown. ShadowGate's redirection method changed at the same time: where it used to rely on scripts to route potential victims to malicious servers, it now utilizes a malicious Flash (.SWF) file for this purpose, which lets GreenFlash Sundown integrate more directly into the chain.

This file determines the version of Flash Player installed, which is relayed to the exploit kit via a query string. Bizarro Sundown uses that information to deliver the appropriate Flash exploit. This can be seen as a way to streamline redirections by removing intermediaries (landing pages) from the infection chain. During this time, we’ve seen ShadowGate delivering another Locky variant (detected by Trend Micro as RANSOM_LOCKY.DLDSAPZ) that appends a .thor extension to encrypted files.
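Two of the observations above lend themselves to simple log analytics: the campaign's weekday-only activity (victims drop to zero on weekends) and GreenFlash Sundown's habit of relaying the installed Flash Player version to the exploit kit in a query string right after a .SWF file is fetched. The following script is an added example, not code from the original post or from Trend Micro; it runs over a constructed proxy log (the log lines, client IPs, paths and the `fv=` parameter name are assumptions, since the post does not name the query parameter), matches the IoC domains listed at the end of the post, tallies hits per weekday, and flags a .SWF download followed within a short window by a request to the same host carrying a Flash-version-looking value.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log (not from the original post).
# Format per line: "<ISO timestamp> <client IP> <host> <path[?query]>"
SAMPLE_LOG = """\
2016-10-05T09:12:01 10.0.0.5 jewelry.earwhig.net /banner.js
2016-10-05T09:12:03 10.0.0.5 aided.theteragroup.com /index.php
2016-10-05T14:30:10 10.0.0.7 www.example.org /news/today.html
2016-10-08T10:00:00 10.0.0.5 www.example.org /home
2016-10-10T08:05:44 10.0.0.9 ads.phoenixhealthtechnology.com /delivery/ad.php
2016-10-19T11:40:02 10.0.0.12 ads.dubleywells.com /ad/loader.swf
2016-10-19T11:40:05 10.0.0.12 ads.dubleywells.com /ad/content?fv=23.0.0.162&id=1
2016-10-19T11:41:00 10.0.0.13 cdn.example.net /player.swf
2016-10-19T11:41:02 10.0.0.13 cdn.example.net /track?sid=42
"""

# Domains listed as IoCs in the post, with the defanged "[.]" restored to "." for matching.
IOC_DOMAINS = {
    "jewelry.earwhig.net",
    "ads.phoenixhealthtechnology.com",
    "aided.theteragroup.com",
    "references.vietnamesebaby.com",
    "ads.dubleywells.com",
}

# A Flash Player version string has four dotted numeric fields, e.g. 23.0.0.162.
FLASH_VERSION_RE = re.compile(r"^\d{1,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_log(text):
    """Yield (timestamp, client, host, path, query) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, host.lower(), parts.path, parts.query


def ioc_hits(text):
    """Return the log records whose host is one of the listed IoC domains."""
    return [rec for rec in parse_log(text) if rec[2] in IOC_DOMAINS]


def hits_by_weekday(text):
    """Count IoC hits per weekday; a campaign that pauses on weekends shows Sat/Sun at zero."""
    counts = Counter(WEEKDAYS[rec[0].weekday()] for rec in ioc_hits(text))
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def flash_version_relays(text, window_seconds=30):
    """Flag a .swf download followed shortly by a request to the same host whose
    query string carries a Flash-version-looking value (the GreenFlash Sundown
    pattern described in the post). The parameter name is unknown, so every
    value in the query string is checked rather than a specific key."""
    last_swf = {}  # (client, host) -> timestamp of the most recent .swf request
    findings = []
    for ts, client, host, path, query in parse_log(text):
        key = (client, host)
        if path.lower().endswith(".swf"):
            last_swf[key] = ts
            continue
        if key in last_swf and (ts - last_swf[key]).total_seconds() <= window_seconds:
            for _, value in parse_qsl(query):
                if FLASH_VERSION_RE.match(value):
                    findings.append((client, host, value))
    return findings


if __name__ == "__main__":
    print("IoC hits per weekday:", hits_by_weekday(SAMPLE_LOG))
    print("Flash version relayed in query string:", flash_version_relays(SAMPLE_LOG))
```

On the sample log the weekday tally shows hits only on Wednesday and Monday, mirroring the weekend gap in Figure 1, and only the `ads.dubleywells.com` session is flagged, because the `cdn.example.net` request that follows its .swf carries no version-shaped value. The version regex deliberately matches the value rather than a parameter name, so it keeps working if the kit renames the parameter; the cost is an occasional false positive on other four-field version strings, which is why the .swf-then-same-host sequence is required as well.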

Figure 5. Part of the code that determines the version of Flash Player installed on the system

Mitigation

While a solid backup strategy is a good defense against ransomware, doubling down on sound patch management helps further secure the device’s perimeter. Keeping the operating system and other installed software up-to-date mitigates the risks of exploits targeting vulnerabilities that have already been fixed by software vendors.

Users and enterprises can also benefit from a multilayered approach to security—from gateway, endpoints, networks, and servers. Using a security solution that can proactively provide defense against attacks leveraging system and software vulnerabilities is also recommended.

Hat tip to @kafeine, with whom we collaborated on this research and analysis.

Some of the indicators of compromise (IoCs) include:

SHA-1 of the file detected as RANSOM_LOCKY.DLDSAPZ:

867ed6573d37907af0279093105250a1cf8608a2

Related to ShadowGate:

jewelry[.]earwhig[.]net

ads[.]phoenixhealthtechnology[.]com

Related to Bizarro Sundown Exploit Kit:

aided[.]theteragroup[.]com

references[.]vietnamesebaby[.]com

ads[.]dubleywells[.]com

Updated on November 5, 2016, 09:45 AM (UTC-7)

We clarified what was originally written in the third paragraph regarding how domains used by ShadowGate were taken down. We also listed SHA-1 which we detect as RANSOM_LOCKY.DLDSAPZ, and some of the IoCs related to ShadowGate and Bizarro Sundown.

Updated on November 8, 2016, 09:00 PM (UTC-7)

We have clarified the naming of the second attack, which is called GreenFlash Sundown.

Updated on December 14, 2016, 12:15 AM (UTC-7)

Further analysis has indicated that the vulnerability used was CVE-2015-7645 instead of CVE-2015-5119. We have updated the text accordingly.
